Vulnerability in Tesla Vehicles Exposes Potential Car Theft Risk

Cybersecurity researchers have discovered a vulnerability in Tesla vehicles that could allow thieves to steal cars without breaking glass or hotwiring. The researchers demonstrated how a simple phishing attack could be used to commandeer a Tesla vehicle, highlighting concerns for car theft, privacy, and safety. Tesla owners should be aware of this vulnerability and take necessary precautions to protect their vehicles.

Understanding the Vulnerability in Tesla Vehicles


(Credit: TheStreet)

A recent discovery by cybersecurity researchers has exposed a vulnerability in Tesla vehicles that could potentially lead to car theft. This article explores the findings of researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc., who demonstrated how a simple phishing attack could be used to commandeer a Tesla vehicle.


In their demonstration, the researchers highlighted a concerning flaw that could allow thieves to steal Teslas without breaking glass or hotwiring. By setting up a captive Wi-Fi network named "Tesla Guest" and creating a fake webpage resembling the Tesla login page, potential thieves could trick Tesla drivers into providing their login credentials.

The Phishing Attack Method

The researchers explained how a potential thief could stake out a location frequented by Tesla drivers, such as a Tesla Supercharger. By setting up a Wi-Fi network that appears to be Tesla's free Wi-Fi, the thief could prompt a Tesla driver to enter their username and password on a fake login page.

Unbeknownst to the driver, their login information would be stolen, and the thief would attempt to log into the Tesla app using the stolen credentials. That login attempt would trigger a two-factor authentication code on the driver's app, which, if the driver entered it on the fake website, would grant the thief full access to the Tesla account.

Once logged in, the thief could clone a "phone key" that would enable them to unlock, lock, and control the car at will. In the researchers' demonstration, they were even able to start the car using this method.

Concerns for Car Theft, Privacy, and Safety

This vulnerability raises concerns not only for potential car theft but also for the privacy and safety of Tesla owners. The Tesla app allows owners to track their vehicles and operate certain functions remotely, meaning thieves with stolen login information could easily stalk their victims and steal their vehicles at their convenience.

While Tesla provides physical key cards to activate phone keys and physical key fobs, the researchers noted that the key card is required to remove access to the car. Additionally, the owner receives a notification when a key is removed. However, the key card is needed to pair a phone key to a car when the owner is physically distant from the vehicle.

Upon informing Tesla about these vulnerabilities, the researchers received a response stating that the demonstrated phone key activation was intended behavior. In light of these findings, the researchers recommended that Tesla make key card activation mandatory when adding another phone key and notify owners when new keys are created.

Prioritizing Cybersecurity in the Automotive Industry

This discovery serves as a reminder of the importance of cybersecurity in the automotive industry. As vehicles become increasingly connected and reliant on digital systems, manufacturers must prioritize the security of their products to protect customers from potential threats.

Addressing this vulnerability in Tesla vehicles could prevent future car thefts and ensure the safety and peace of mind of their customers.
